Hacktool.Rootkit

Hacktool.Rootkit is a detection name used by Symantec to identify malicious software programs that allow attackers to break into a system and hide the attack from its users.

Hacktool.Rootkit may include a back door that allows a remote attacker to access the compromised computer. Rootkits can be made up of a variety of programs and scripts that gain root access on a system and attempt to hide evidence of the intrusion.

There are two main types of rootkits:

User-mode rootkits:
User-mode rootkits manipulate processes, services, and applications by targeting system calls sent from applications run by a user.

Kernel-mode rootkits:
The kernel-mode rootkit is more sophisticated since it takes control of the operating system by hooking and manipulating system calls and APIs at a lower level.

Once installed, a rootkit may perform any of the following actions on the compromised computer:

Avoid detection

Hide files and folders

Hide malicious code

Hide network connections

Hide system processes

Log keystrokes

Modify systems

Open a back door

If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

Initial Rapid Release version September 27, 2001

Latest Rapid Release version September 09, 2019 revision 023

Initial Daily Certified version September 27, 2001 revision 007

Latest Daily Certified version August 15, 2019 revision 002

Initial Weekly Certified release date September 27, 2001

Technical Description

Background information
Rootkits first appeared on UNIX operating systems in the 1990s.
The term rootkit originally described programs used primarily to gain root access on a system and hide the traces of the attack. The administrator or superuser account on UNIX systems is called root, and the original software used in these attacks was a multi-part set of tools, hence the name "rootkit". The term is now often used more broadly for software that hides its own presence, or the presence of other files and system changes, on a computer.

There are two main types of rootkits:

User-mode rootkits:
Applications run by a user access the kernel by making system calls. Each system call follows a predefined path, which allows a user-mode rootkit to intercept and manipulate the call at different points along that path. A user-mode rootkit may also use DLL injection, where the malicious code is injected into system DLLs. This lets the rootkit stay memory resident, since the infected DLL runs in the memory allocated to the application that loaded it.

Kernel-mode rootkits:
The kernel-mode rootkit is a more sophisticated type of malicious software, since it takes control of the operating system at a low level by hooking system calls through one or more of the following:

Native APIs exported by NTDLL.dll

Direct Kernel Object Modification (DKOM)

System call tables such as the System Service Descriptor Table (SSDT)

Export Address Table (EAT)

Interrupt Descriptor Table (IDT)

Import Address Table (IAT)

Who creates rootkits?
Rootkits are created by malware writers who employ a variety of techniques to gain access to a computer and hide their presence from its users and from the security applications running on it. Rootkits are likely built to aid profit-making malware operations: by incorporating a rootkit into an attack, malware authors can hope to keep the malware undetected for longer.

What happens after Hacktool.Rootkit is installed?
Once installed, the rootkit attempts to hide any evidence of the intrusion. Attackers can use it to gain administrator or superuser access, or to work through a remotely accessible back door on the compromised computer, and so perform virtually any activity without the end user being aware of the intrusion.

What can Hacktool.Rootkit do?
Once installed, a rootkit can gain control of your computer and can be configured to perform many actions on it, including any of the following:

Avoid detection

Hide files and folders

Hide malicious code

Hide network connections

Hide system processes

Log keystrokes

Modify systems

Open a back door

Steal confidential information

Are there any tell-tale signs?
Since rootkits go to extensive means to avoid detection, there are typically no tell-tale signs that can be readily seen by the user when using the compromised computer.
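Because a rootkit hooks one particular point on the call path, the defender's standard way to surface the missing tell-tale sign is a cross-view comparison: enumerate the same objects through two independent paths and diff the results. The following Python script is an added example and not part of the Symantec writeup; it applies the idea to process IDs on Linux (a directory listing of /proc versus a kill(pid, 0) probe), and the pid_max fallback of 32768 is an assumption.

```python
import os
from typing import Dict, Iterable, Set

def cross_view_diff(api_view: Iterable[int], probe_view: Iterable[int]) -> Dict[str, Set[int]]:
    """Diff two enumerations of the same objects (here: process IDs).
    An ID the probe finds but the listing lacks is the classic signature of a
    hidden process; the reverse usually means a process exited between the two
    views, so re-run the scan before treating either set as evidence."""
    api, probe = set(api_view), set(probe_view)
    return {"hidden": probe - api, "listing_only": api - probe}

def pids_from_proc_listing() -> Set[int]:
    """High-level view: enumerate /proc, the readdir path a user-mode hook targets.
    Thread IDs are included because kill(tid, 0) also succeeds for threads;
    without them every multithreaded process would look 'hidden'."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two listdir calls
    return ids

def pids_from_signal_probe(pid_max: int) -> Set[int]:
    """Low-level view: ask the kernel directly whether each PID exists.
    Signal 0 delivers nothing; ProcessLookupError means no such process,
    PermissionError means it exists but belongs to another user."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def scan() -> Dict[str, Set[int]]:
    """Run both views and report discrepancies (both sets empty on a clean host)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768  # assumed default when pid_max cannot be read
    return cross_view_diff(pids_from_proc_listing(), pids_from_signal_probe(pid_max))
```

Call scan() and treat a non-empty "hidden" set that survives a second run as a candidate for deeper investigation; on hosts with a large pid_max the probe loop takes several seconds.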

What are the risks?
Rootkits pose a relatively high risk of damage or loss to the user if they can remain undetected and active for a significant time. The minimum risk a user may face includes the hiding of files or folders and a potential performance loss due to activities performed by the malware or the remote attacker. The maximum risk a user may experience can include identity theft when confidential information is stolen, use of the computer by a remote attacker to perform illegal activities, and the download and installation of other malware.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360, or Symantec Endpoint Protection. In addition, a firewall - or better still, an Intrusion Prevention System (IPS) - will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

Removal

You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
For information on how to run a full system scan using your Symantec product, follow the guidance given in the product's Help section.

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.